The increasing sophistication of site specific attacks based on man-in-the-middle (MITM) and man-in-the-browser (MITB) techniques has profound implications for our current authentication techniques. Specifically, the strength of the initial login authentication is increasingly becoming less relevant as these attacks manipulate transactions after the legitimate user has provided the initial credentials to login. In reaction to this trend, leading organizations have begun deploying transaction authentication systems, such as EMV-CAP based token authenticators, or have been using out of band authentication (OOBA) techniques to ensure that the user actually intended the transaction being seen at the back end. However, such approaches are inherently not easy to use and consequently, even when deployed, are generally used only for high risk transactions or occasional events like profile changes. For the vast majority of transactions no current authentication solution provides a reasonable point in the “How easy? How secure? How costly?” trade-off.
In prior work (see the related applications identified above), we described innovations that address some of the problems with conventional authentication systems. Specifically, we introduced the notion of using quasi out of band authentication (QOOBA) techniques to ensure that the user actually intended the transaction being seen at the back end. We also described how these techniques can be used to provide a user with a one time password (OTP) to enable login into a web site (i.e. authentication of the user to the website), based on a secret shared between the web site and a QOOBA security server. Thus these techniques can be used to provide the security of one time passwords, but do not require a per user shared secret which all prior one time password systems have required.
The innovations described herein further extend our prior work to address the issue of providing an authentication solution for the vast majority of transactions at a reasonable point in the “How easy? How secure? How costly?” trade-off.